This week’s Compliance News Flash features information on New York City’s pay equity law, stats on FCRA litigation, personnel moves at the Federal Trade Commission, news about a Form I-9 scam, and information about my presentation on developing a compliant background screening at my firm’s upcoming Employment Law Seminar in Atlanta.

Click here to read my News Flash.

The Federal Trade Commission (FTC) recently announced reforms to its internal processes to streamline information requests and improve transparency in Commission investigations.  Quick tutorial — the FTC may issue Civil Investigative Demands (CIDs) pursuant to the FTC Act to investigate possible “unfair or deceptive acts or practices” against consumers.

Stemming from the work of the internal Working Groups on Agency Reform and Efficiency, the Bureau of Consumer Protection (BCP) identified best practices and announced reforms related to Civil Investigative Demands (CIDs), which the agency issues in consumer protection cases. The reforms include:

  • Providing plain language descriptions of the CID process and developing business education materials to help small businesses understand how to comply;
  • Adding more detailed descriptions of the scope and purpose of investigations to give companies a better understanding of the information the agency seeks;
  • Where appropriate, limiting the relevant time periods to minimize undue burden on companies;
  • Where appropriate, significantly reducing the length and complexity of CID instructions for providing electronically stored data; and
  • Where appropriate, increasing response times for CIDs (for example, often 21 days to 30 days for targets, and 14 days to 21 days for third parties) to improve the quality and timeliness of compliance by recipients.

In addition, BCP will adhere to its current practice of communicating with investigation targets concerning the status of investigations at least every six months after they comply with the CID.

For those who have already been the subject of a CID, this won’t take away the pain of having to respond, but going forward it should mitigate some of that pain for future CID recipients.

I would like to congratulate a partner and colleague at my firm — Tom Pahl — who, although he is leaving us, is leaving for a very good reason.  Federal Trade Commission (FTC) Acting Chairman Maureen Ohlhausen announced this week that she has appointed Tom Pahl, a partner at the Washington, D.C. law firm of Arnall Golden Gregory LLP, to be the Acting Director of the FTC’s Bureau of Consumer Protection.  This is a big deal!!  Tom replaces Jessica Rich, who is leaving the FTC later this month.

To read the FTC’s press release click here.  To read more about Tom’s appointment click here, and here, and here.

Congratulations Tom!

The Federal Trade Commission (“FTC”) recently issued guidance applicable to background screening companies (aka consumer reporting agencies) who engage in tenant screening.  The FTC highlights four key responsibilities of background screening companies covered by the Fair Credit Reporting Act (“FCRA”), specifically:

  • “Follow reasonable procedures to ensure accuracy.
  • Get certifications from your clients.
  • Provide your clients with information about the FCRA.
  • Honor the rights of applicants and tenants.”

For background screening companies, I encourage you to look carefully at those responsibilities as described in the guidance, because the FTC opines on what “reasonable procedures to ensure accuracy” are, and those should be read to apply to employment screening as well.  The FTC states, “[c]ertain practices may be indicators that a background screening company isn’t following reasonable procedures. For example, if a report lists criminal convictions for people other than the applicant or tenant – for instance, a person with a middle name or date of birth different from the applicant’s – that raises FCRA compliance concerns. Other examples that raise FCRA compliance concerns include screening reports with multiple entries for the same offense or that list criminal records that have been expunged or otherwise sealed.  Another indication that a company’s procedures might not be reasonable are reports that list housing court actions, but do not include the outcome of the action – for instance, that a case was resolved in the tenant’s favor.”

Background screeners, notice that the FTC calls out reports with multiple entries for the same offense, the reporting of expunged or sealed records, reports with no dispositions, and finally, the failure to use a middle name to ensure accuracy.

Yesterday I attended an interesting webinar regarding Fair Credit Reporting Act (FCRA) developments.  Susan Camp Stocks from the Consumer Financial Protection Bureau (CFPB) and Katherine Ripley White from the Federal Trade Commission (FTC) participated, along with my colleagues Bob Belair and Kevin Coy. The speakers covered a fair amount of ground on different FCRA issues, including the importance of furnishers of information having written policies and procedures.  However, I want to focus on what they said about the background screening industry.

FTC Comments

  • They are focusing on background screening and in particular the use of criminal history records in employment screening
  • Accuracy of the reports is essential
  • Red flags that background screeners should review/consider when reporting public records — different names or DOBs, multiple entries for the same offense, and the reporting of expunged cases
  • They are working with the Federal Interagency Reentry Council to address accuracy related issues in the criminal justice system
  • They will turn their attention to focus on tenant screening in the next year and it is likely that we will see revised guidance in this area

CFPB Comments

  • Among their policy priorities is consumer reporting
  • They appear to believe that oversight of public record providers is weak and that more audits of such providers should be conducted to address accuracy issues
  • Accuracy of the reports is very important to them and they spoke about the enforcement action against General Information Services and e-Backgroundchecks.com to illustrate the point

The Federal Trade Commission (FTC) just issued guidance for companies providing employment screening services.   According to the FTC, they have “created new guidance for businesses aimed at giving employment background screening companies information on how to comply with the Fair Credit Reporting Act (FCRA).” The FTC is referring to it as an “FCRA brochure” … I guess like a travel brochure you would pick up at a travel agency.  Anyhow, click here to view the FTC’s blog posting on this subject.

As a practitioner in this area I don’t see anything particularly groundbreaking or earth-shattering about the FTC’s publication.  I think this publication will be most helpful for newer participants in the background screening industry.

My main takeaway for seasoned background screening firms is that the guidance provides insight into what the FTC potentially considers most important.  FTC — if you are reading this, everything about you and the FCRA is important.  Key points for background screeners to focus on with respect to their compliance programs:

  • Accuracy of the reports — use your identifiers and check your identifiers on the reports (including middle initials); don’t provide reports with multiple entries for the same offense; and for crying out loud don’t report expunged or sealed records.
  • Know your customer before furnishing consumer reports and get your section 604(b) certifications.
  • Provide the appropriate federal notices to users and subjects of the reports.
  • Have consumer dispute procedures in place to appropriately respond to disputes or file requests, conduct reasonable reinvestigations and provide notices to consumers about the results of any reinvestigation.  And finally, don’t make it difficult or challenging for a consumer to request their file or dispute a report.
  • When reporting public records that are likely to have an adverse effect on the consumer’s ability to obtain employment, either provide consumers with notice or follow “strict procedures” as per section 613 of the FCRA.

The above points shouldn’t come as a surprise to seasoned background screening firms.  If they do, or you are not familiar with any of these points, speak with an FCRA attorney to come up to speed on these rapido (that’s Spanish for “fast”).

Section 613 of the Fair Credit Reporting Act (FCRA) requires that consumer reporting agencies (CRAs), when furnishing a consumer report for employment purposes that contains public record information likely to have an adverse effect upon a consumer’s ability to obtain employment, either follow strict procedures or send notice to the consumer.  Both the law and the Federal Trade Commission (FTC) are clear that CRAs can select either option and are not required to follow both 613(a)(1) and 613(a)(2).  But the ridiculous amount of FCRA-related litigation has CRAs wondering…should I do both?  I’m not legally required to do both, but should I have both strict procedures in place and send notice to cover all my bases from a litigation perspective?  While this blog posting is not intended to offer legal advice, I am happy to discuss this broader issue with CRAs offline.  For purposes of this blog, I will leave you with this nugget.

The FCRA does not define “at the time”, which is part of the notice provision of section 613(a)(1).  The full section reads, “at the time such public record information is reported to the user of such consumer report, notify the consumer of the fact that public record information is being reported by the consumer reporting agency, together with the name and address of the person to whom such information is being reported;”.  A recent district court opinion in the rocket docket, the 4th Circuit, provides a very generous reading of the notice provision.  The case, Rodriguez v. Equifax Information Services, LLC (1:14-cv-01142) (E.D. Va., July 17, 2015), involves an employee who applied for a position with the Office of Personnel Management (OPM).  Two relevant facts — the plaintiff’s security clearance was approved and he never actually received the notice.   However, the Court essentially held that Equifax Information Services had an appropriate process in place to provide notice to consumers.  The process included sending notices by mail the following business day (and in some instances two business days later), after the report had been provided to OPM.

Key takeaways from the Court’s Memorandum Opinion (“Opinion”):

  1. The Court states that the “at the time” requirement is ambiguous (which is true) and there is “more than one reasonable interpretation of what that requirement means.” (Opinion, p. 9)
  2. The Court states that “Congress did not impose a ‘same time’ requirement with respect to the receipt of the notice; and in 2000, the Federal Trade Commission interpreted the ‘at the time’ requirement to permit the mailing” of such a notice. (Opinion, p. 9)  This we already know and more specifically what the FTC says is, “A CRA may use first class mail or other reasonable means to notify consumers that it is providing public record information for employment purposes under subsection (a)(1).” (See, 40 Years of Experience with the Fair Credit Reporting Act: An FTC Staff Report with Summary of Interpretations, p. 81).
  3. This takeaway is very helpful for CRAs using the notice option of section 613.  The Court does not require parity with the method by which the notice is sent.  Meaning, a CRA can send the notice by automated/electronic means to the employer and by mail to the consumer. The Court states that they “cannot conclude that the text of the statute requires such technological symmetry during periods of technological innovation so long as the system initiated, at the same time a report to OPM was initiated, a process that was designed to deliver notice to the consumer according to a reasonable, standard and accepted method of delivery.” (Opinion, p. 9)


Recently the Federal Trade Commission (FTC) issued a guide, Start with Security: A Guide for Business, which pulls from lessons learned from the 50+ data security enforcement actions that the FTC has announced.  To be clear, these actions are settlements and not court orders.  Nonetheless, the “ten lessons” they provide in the guide are worth reading and thinking about how they apply to your company.  The ten lessons below are taken (literally) from the FTC’s guide, and I then add a few summary sentences:

  1. Start with security — when it comes to data collection, use and retention, less is better.  As the guide says, “by making conscious choices about the kind of information you collect, how long you keep it, and who can access it, you can reduce the risk of data compromise down the road.”  If you don’t need driver’s license information or Social Security numbers on a particular form…don’t collect them just to collect them.
  2. Control access to data sensibly — not all employees need to have access to everything, be it paper files, the network, or administrative controls.  Pull the reins on that horse, cowboy!  Limit and restrict access to data, especially sensitive data.
  3. Require secure passwords and authentication — the word “password” is not a secure password.  Enough said.  Also, implement a policy to suspend or disable accounts after repeated failed login attempts to reduce the risk of an attack being successful.  Test for common vulnerabilities and widely known security flaws, such as “predictable resource location”, where attackers can bypass the web app’s authentication screen and gain unauthorized access.
  4. Store sensitive personal information securely and protect it during transmission — in other words, be in it for the long haul and protect data at all stages.  Make sure your company properly implements encryption and SSL protocols, and use industry-tested methods, not some $9.99 summer special.
  5. Segment your network and monitor who’s trying to get in and out — limit access and have in place strong intrusion detection and prevention tools.
  6. Secure remote access to your network — remote access is a curse and a blessing, depending on how you look at it.  It also challenges a company’s data security policies and procedures. Ensure endpoint security and have firewalls and updated antivirus software in place.  Also, limit third party access to what is needed.
  7. Apply sound security practices when developing new products — if a company is pushing out a new mobile app or software, they need to ensure their engineers are trained in secure coding practices, don’t turn off SSL certificate validation, and test for common vulnerabilities.  The FTC cites the Open Web Application Security Project as a resource for identifying commonly known vulnerabilities. Finally, a big one for the FTC — do what you say you will do.  In other words, if your company’s mobile app or software features specific privacy and security settings, the product needs to live up to those features/representations.
  8. Make sure your service providers implement reasonable security measures — in other words, companies need to police their vendors to ensure their data security practices are reasonable.  Security standards should be incorporated into the terms of service agreements and compliance should be audited.
  9. Put procedures in place to keep your security current and address vulnerabilities that may arise — have policies and procedures in place to update/patch third party software as well as to receive and act on security alerts.
  10. Secure paper, physical media, and devices — not all data is collected and maintained in electronic format.  Data security applies to hard copy documents as well, and confidential information there needs to be protected every bit as much as if it were in electronic form.  When sensitive data is no longer needed, companies should properly dispose of it, by shredding, burning, or pulverizing paper documents.  Throwing documents with sensitive personal information in the trash can is strictly verboten.

Not rocket science, but given the enforcement actions brought by the FTC, companies suffer from these mistakes and failures.   For more details on each point above, and to learn about some of the companies impacted by these enforcement actions, click here to read the guide.
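Lesson 3’s point about suspending accounts after repeated failed logins, as an added illustration (not code from the FTC guide or from the author): a small lockout policy in Python. The thresholds, the in-memory store, the injectable clock and the `verify_password` callback are assumptions, constructed for the example.

```python
"""Account lockout after repeated failed logins (FTC lesson 3 above).

Constructed example: thresholds and the in-memory store are assumptions,
not values from the FTC guide.
"""
from dataclasses import dataclass, field
import time

MAX_FAILURES = 5            # assumption: lock after 5 failures in the window
WINDOW_SECONDS = 15 * 60    # assumption: failures are counted over 15 minutes
LOCKOUT_SECONDS = 30 * 60   # assumption: account stays locked for 30 minutes


@dataclass
class AccountState:
    failures: list = field(default_factory=list)  # timestamps of recent failures
    locked_until: float = 0.0                     # 0.0 means not locked


class LockoutPolicy:
    def __init__(self, verify_password, now=time.time):
        self._verify = verify_password  # callable(username, password) -> bool
        self._now = now                 # clock is injectable so tests can advance it
        self._state = {}                # username -> AccountState
        self.events = []                # lockout audit trail for monitoring

    def is_locked(self, username):
        st = self._state.get(username)
        return st is not None and self._now() < st.locked_until

    def attempt_login(self, username, password):
        """Returns 'ok', 'bad_credentials' or 'locked'."""
        now = self._now()
        st = self._state.setdefault(username, AccountState())
        if now < st.locked_until:
            # Locked accounts are refused even with the right password,
            # so guessing cannot continue during the lockout.
            return "locked"
        if self._verify(username, password):
            st.failures.clear()
            return "ok"
        # Keep only failures inside the sliding window, then add this one.
        st.failures = [t for t in st.failures if now - t < WINDOW_SECONDS]
        st.failures.append(now)
        if len(st.failures) >= MAX_FAILURES:
            st.locked_until = now + LOCKOUT_SECONDS
            st.failures.clear()
            self.events.append((now, username, "locked"))
            return "locked"
        return "bad_credentials"


def demo():
    """Five wrong guesses lock 'alice'; the right password is refused until
    the lockout expires. Returns the list of outcomes in order."""
    clock = [1000.0]
    policy = LockoutPolicy(lambda u, p: (u, p) == ("alice", "correct horse"),
                           now=lambda: clock[0])
    results = [policy.attempt_login("alice", "wrong") for _ in range(5)]
    results.append(policy.attempt_login("alice", "correct horse"))  # still locked
    clock[0] += LOCKOUT_SECONDS + 1                                 # lockout expires
    results.append(policy.attempt_login("alice", "correct horse"))
    return results
```

A production system would persist the state and forward each entry in `events` to the intrusion monitoring described in lesson 5.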

I recognize this is a few days late, but the content is still timely.  Last month I attended the NAPBS Mid-Year Conference in Washington, DC both as an attendee and speaker. One session of particular interest to me was Maneesha Mithal’s presentation.  Maneesha is the Associate Director of the Division of Privacy and Identity Protection at the Federal Trade Commission (FTC).  Her team is the team that would bring an enforcement action against a background screening company for non-compliance under the Fair Credit Reporting Act (FCRA).

Below are the takeaway points I found most helpful for purposes of my day-to-day practice advising background screening companies on their compliance with the FCRA:

  • Reasonable security of data – Maneesha stressed the importance of “knowing your customer” when transacting with them and provided examples of companies who failed to maintain appropriate data security through reasonable procedures, and failed to ensure a permissible purpose to the reports (e.g., ACRAnet, Inc., SettlementOne Credit Corporation, Statewide Credit Services).
  • The FCRA applies equally to social media when used for background screening purposes and she gave as examples the FTC letter to Social Intelligence Corporation and the ongoing Spokeo v. Robins case.  For the Spokeo case, note that the U.S. Supreme Court granted cert. and will take up this important case next year.  The Spokeo case goes to the issue of whether a plaintiff has to show actual injury in fact in order to have Article III standing, or whether a mere violation of the statute is sufficient to bring suit.  Let’s hope the former and not the latter.
  • Companies cannot disclaim liability under the FCRA and then proceed to sell information to employers which could be used for background screening purposes.  As an example she cited the settlement against Filiquarian Publishing LLC, Choice Level LLC and their CEO for alleged failure to ensure that the information they sold was accurate and could only be used for a permissible purpose.   In this matter, the maker of the mobile app claimed that users could use the app to conduct criminal background searches on individuals but used disclaimers stating that they were not FCRA compliant and that the products should not be used for employment screening purposes.
  • Accuracy of the reports – reports with multiple entries listing the same offense are not acceptable. Basically, a data dump is not acceptable as it does not comply with the FCRA requirement to maintain maximum possible accuracy.  As an example she cited the HireRight Solutions enforcement action and settlement.
  • Consumer disclosures — have adequate staff to respond to consumer requests for their reports.
  • Use of section 603(y) of the FCRA as a defense to litigation is on the rise.  It is the FTC’s opinion that this section of the FCRA, which relates to investigations of suspected employee misconduct, is only intended to cover current employees and not job applicants.  Stay tuned for potential guidance from the FTC on this point.
  • U.S. based background screening companies doing background checks on international employees – the FCRA would apply.
  • Regarding the amicus brief in Moran v. The Screening Pros tied to section 605 of the FCRA and the obsolescence rule for dismissals, this is an FTC “opinion” and not just a staff view as the Commission approved the FTC’s participation in the amicus brief.